
Data Protection Policy and Procedures

QC CLT is committed to protecting the personal information it holds and respecting the privacy
of the individual, in accordance with the requirements of the Data Protection Act.


‘Data’ may be recorded on paper, electronically, computerised or on other material.

‘Data Controller’ (DC) is the person, elected by the Board, who determines the purposes
and manner in which any Personal Data are, or are to be, processed. The DC is the person the
ico hold liable for ensuring Personal Data is correctly held and processed by QC CLT.

‘Data Subject’ is the individual who is the subject of Personal Data

‘Information Commissioner's Office’ (the ico) is the statutory body charged with
regulating and holding a register of data holders.

‘Notification’ is the process of notifying the Data Protection Authority (the ico) of the
purposes for which Personal Data is held / processed.

‘Personal Data’ are Data which relate to a living individual who can be identified from
those Data. (This includes Sensitive Data)

‘Sensitive Data’ is Data pertaining to but not limited to: racial or ethnic origin; religious or
similar beliefs; trade union membership; physical or mental health or sexual life; political
opinions; criminal offences. This Data may only be held in strictly defined situations or where
explicit consent has been obtained.

‘Subject Access’ is the right of individuals to have knowledge of the Data held about them
and other related information

‘The Act’ is the Data Protection Act 1998 (as amended)

1    Data Protection Policy & Procedures, Issue 1 
The Act seeks to protect an individual against the unfair use of personal information and sets out
the following three fundamental principles:-

1. The right of an individual to know what Personal Data is being held and to be able to
check its accuracy; (Subject Access)
2. That Personal Data should be used only for the specific purposes for which it was
obtained and held, and should not be disclosed to those not authorised to have it and;
3. That a Government agency with a Data Protection Registrar should regulate and enforce
proper standards relating to Personal Data.

The Act identifies 8 principles which govern the protection of Personal Data as summarised

The Eight Data Protection Act Principles

These specify that Personal Data must be:

1. Processed fairly and lawfully.

2. Obtained for specified and lawful purposes.
3. Adequate, relevant and not excessive.
4. Accurate and up to date.
5. Not kept any longer than necessary.
6. Processed in accordance with the Data Subject's rights under The Act.
7. Kept securely.
8. Not transferred to any other country without adequate protection being in place.


The QC CLT Board is responsible for:‐ 
1. Appointing a Director with specific responsibility for Data Protection (the Data 
2. Ensuring ALL communication containing Personal Data are copied to the Company 
3. Referring all requests for Personal Data to the Data Controller for action. All such 
requests to be in writing; 

The Data Controller is responsible for :‐ 
1. Ensuring that everyone handling Personal Data understands that they are responsible 
for working to the legal requirements in respect to such Personal Data; 
2. Ensuring that queries about Personal Data are promptly and courteously dealt with and 
that the Board, where appropriate, is kept informed of such requests for Personal Data; 
3. Ensuring that registration with the ico is maintained and up to date; (Notification) 
4. Ensuring that QC CLT handles Personal Data in accordance with the 8 principles of Data 
This will require:‐ 

i. Writing a short briefing paper / list of references, on the subject of Data 
Protection, and distributing it to both directors and others who may 
handle / process Personal Data on our behalf; 
5. Conducting an audit of the Personal Data systems, in conjunction with the Company Secretary, every five years
and reporting their findings to the Board.

The Company Secretary is responsible for :‐ 
1. Ensuring that the Agenda of the first Board meeting after the AGM contains :‐ 
i. the election of the Data Controller; 
ii. declaration by Board members that they have read, understood and agree to 
abide by the QC CLT Data Protection P & P ; 
2. Establishing an appropriate filing system for holding Personal Data, and ensuring that the Data is
appropriately destroyed when no longer required;
3. Establishing with the sender or Data Subject, as appropriate, that the Personal Data may be
held and used by QC CLT in pursuit of its business;
4. Seeking advice from the Data Controller when new circumstances arise; 
5. Ensuring that Minutes and other Documents produced by QC CLT do not include 
Personal Data that is not covered by our Notification to the ico; 

6. Contacting every member, requesting that they confirm their current contact details at
5-yearly intervals. Those that do not respond will be marked as dormant on the share
7. Archiving the completed and closed ‘Request for Personal Data Forms’ and associated 


1. ALL instances where Personal Data may be involved should be referred to the Data
Controller for advice and direction as to whether the Data falls within The Act, QC CLT’s
registration, and how it should be handled;
2. Electronic Files will be backed up quarterly and the back-ups will be stored securely away
from the main computers;
3. Paper and Electronic files will be kept securely at the Registered Office of QC CLT and 
will only be removed by the Company Secretary when being used at meetings or 
working groups; 
4. No QC CLT electronic files are to be stored on the “cloud” or other internet-based file
servers (as we cannot guarantee the physical location of these servers) except for
emails AND then care should be taken to ensure that any Personal Data contained in
emails is kept to the absolute minimum.

Request for Personal Data 
ALL written Requests for Personal Data (RPD) shall be channelled to the Data Controller; 

1. The Data Controller will complete Part A of the Request for Personal Data Form 
(attached) stating :‐ 
i. RPD Reference Number (RPDRN) (this will take the form of RPD yy (year) / nn
(sequence number));
ii. Date Request received by Data Controller;
iii. Form raised by (Name of Data Controller filling in the form);
iv. Requester (Name and Contact details of the person / organisation making the
v. Details of the Request; 
2. Raising a unique reference number for each piece of correspondence relating to the 
request (this will be the RPDRN / nn where nn is a sequence number), and log its 
existence on the RPD Correspondence Log Form on the reverse of the associated RPD 
3. The Data Controller will write / email the requester to acknowledge receipt of the 
request and ask for clarification of why the Data is requested if this is not clear; 
4. The Data Controller shall authenticate the requester and review the request, and if it is 
not legitimate (i.e. if, in the opinion of the Data Controller, after having taken advice, 
the requester does not have a legitimate reason to request the Data), then write to the 
requester, thanking them for their correspondence but declining the request and giving 
his reasons, then record the actions taken on the RPD Form and close the request. 
5. For legitimate requests, the Data Controller shall request the appropriate fee from the 

Request for Personal Data Form 
RPD   yy / nn

Part A

Date Requested.

Form raised by.


Details of Request.

Part B

Response Details.

RPD Correspondence Log Form 

RPD yy / nn   |   Date Received   |   Date Sent   |   Notes









